ABSTRACT

It is widely accepted that human error is a major 
contributing factor in aircraft accidents. There has been a 
significant amount of research in why these errors 
occurred, and many reports state that the design of the flight 
deck can actually predispose humans to err. This research 
has led to the call for changes in design according to 
human factors and human-centered principles. The 
National Aeronautics and Space Administration’s 
(NASA) Langley Research Center has initiated an effort 
to design a human-centered flight deck from a clean slate 
(i.e., without constraints of existing designs.) The effort 
will be based on recent research in human-centered 
design philosophy and mission management categories. 
This design will match the human’s model of the 
mission and function of the aircraft to reduce unnatural or 
non-intuitive interfaces. The product of this effort will be 
a flight deck design description, including training and 
procedures, and a cross reference or paper trail back to 
design hypotheses, and an evaluation of the design. The 
present paper will discuss the philosophy, process, and 
status of this design effort. 

HUMAN ERRORS AND GREAT EXPECTATIONS 

“We all make mistakes.” “To err is human.” 
“Nobody’s perfect.” “You can’t do everything.” We 
tend to accept these age-old cliches as common sense 
truths. They are evidenced by our everyday existence. 
We all have flipped the wrong switch, deleted an 
important file, or ventured down a hallway only to forget 
why we were there. We have all made misjudgments or 
ignored data that was contrary to our current beliefs. 
These are examples of common human behavior — not 
abnormal or erroneous human behavior. In fact, it would 
be highly unusual if we did not act this way. However, 
in the aviation industry as well as many others, in 
designing human-machine interfaces, these behavioral 
tendencies are often not considered. Designers of 
systems often expect humans to act in unnatural ways, 
that is to say, not to be prone to these natural behaviors. 
Likewise, when accidents and incidents are investigated, 
investigators often judge humans according to super- 
human standards. 

Imagine if we designed a computer system that was 
known to generate a lot of heat and we did not provide 
cooling. If the computer failed, would we state that it 
was computer error or design error? Would we blame the 
computer for generating too much heat? No. Since it was 
understood prior to design that the computer generated 
heat and had certain cooling requirements, we would 
classify the failure as a design error. However, in aviation 
accident investigations, the causal factor for the accident 
is attributed often to air or flight crew (pilots, copilots, 
etc.) error rather than being attributed to the designs 
which do not always account for human behaviors. 

The point here is that we assign blame to humans for 
being human, for acting naturally. It is as if we had 
super-human expectations. Is it the human’s fault to 
forget a name that she just heard in a crowded party 
where she was introduced to 20 new people in five 
minutes? Is it a human error for a person to forget the 
phone number of the house he lived at fifteen years ago? 
Is it a human error for a person to get lost if his map is 
incorrect? Is it a human error for an infrequent traveler to 
ask where the “bathroom” is when the natives only 
know it as the “toilet”? In aviation flight operations, 
incidents and accidents resulting from similar events are 
routinely classified as being the flight crew’s fault. 

While there is much to learn about human behavior, we 
do have a large body of information regarding it. 
Although there are significant individual differences 
between humans, there are also many similarities. We 
know in order to perform properly, humans need to be 
aware of their surroundings; need to be alert and 
attentive; need to have authority with responsibility; 
need to understand what their role in the mission is; and 
can only deal with a small number of variables. We 
should design systems to satisfy these and other human 
requirements. However, many human-machine designs 
do not fulfill these requirements; Aircraft flight decks 
(both classic and modem) are teeming with examples cf 
such designs. 

THE AIRCRAFT FLIGHT DECK CONTEXT 

Current flight deck designs - Can vs. Should 

Current flight deck designs often take human physical 
behavior into account but rarely appear to take human 
cognitive behavior into account. For example, they will 
address factors such as visibility and legibility, and 
workload (e.g., the pilot can’t do more than ‘X’ things 
at once), but they often will not address the issue of 
whether the information or interface is intuitive. They do 
not always consider pilot performance over time. They 
usually ask the question “Can a human operate this?” 
instead of “Is this the way the human should operate 
this?” As a result, we see a number of accidents and 
incidents which are caused, not by human error, but by 
the mismatch between human and system behavior. [1] 

Modern flight decks (as a result of design, the design 
philosophy, training and procedures) generally present a 
mismatch between human behavior and operational 
environments. The quiet, dark cockpit philosophy 
(originally designed to reduce nuisance lights and alerts) 
has been combined with significant programmed or 
scheduled automation to create an environment which 
may lull the human into a state of inattentiveness. In 
modern flight decks, pilots do not always have authority 
over flight critical functions (e.g., electronically 
controlled engines that shut down automatically when 
they detect a failure) or that authority might be difficult 
to wield (e.g., a combination of autopilot and flight 
modes that do not allow the pilot to disengage the 
automation in “normal” ways.) Many flight decks are 
automated to the point that pilots are often reluctant to 
disagree with or override the automation, even when it is 
the pilot’s role to manage and evaluate the automation. 
In this case, the pilot essentially becomes part of the 
automation or subservient to it. Finally, pilots of 
modern flight decks are often overwhelmed with a large 
number of modes, display types, display formats, alert 
types and messages. And, these are just some of the 
more obvious problems with current flight deck designs. 

Challenges to design 

Although it is easy to throw stones at current flight deck 
designs, it is a more difficult task to correct those 
problems. There are a number of impediments to 
modifying designs to address these problems [2]. One of 
the biggest ones is that despite their drawbacks, the 
modern flight decks do function well (contributing to the 
overall low aircraft accident rate) and so many people are 
reluctant to change anything. However, there are those 
who believe that the only way to improve the current 
safety record in a significant way requires wholesale 
changes in the flight deck design, training, and 
procedures. A recent report by the Federal Aviation 
Administration (FAA) [3] presents a number of changes 
that would be required to address these issues. Several of 
those changes sum to the conclusion that evolutionary, 
piece-meal design changes will not generally lead to 
significant improvements in safety. The following 
represent points from the document: Flight deck designs 
cannot be “human factored” near the end of the design; 
There is not a simple, single-point solution to every 
human factors problem; Many problems must be 
addressed in and at the total flight deck design level. 

HUMAN-CENTERED FLIGHT DECK DESIGN 

While humans are trainable, they are not nearly as 
malleable as is technology. Current flight deck design 
has been described as technology centered design — 
meaning that the technology was the primary 
consideration of the design and humans were 
afterthoughts. Humans have dealt with this technology 
domination by relying on their unique traits of flexibility 
and adaptability. But, these traits have been pushed to 
the limit. Because advanced aircraft are, and will 
continue to be, so heavily automated due to demands for 
efficiency and safety, principles of human-centered design 
(giving more emphasis on human behavior) should be 
followed when designing these new aircraft, particularly 
their flight decks. Billings [4] lists and gives examples 
of these principles for human-centered automation. 

The basic tenet of these principles is the following, “The 
Human Operator Must Be in Command.” In an aircraft, 
the pilot is to remain always in command, even when he 
or she is using automation. Thus, automation, 
including air traffic management automation, must never 
remove the pilots from that command role. For 
example, pilots must be able to override the authority of 
flight control automation, even within normal operating 
limits. However, override authority by itself does in no 
way equate to command. Command entails both 
authority and awareness. Billings stresses the need for 
appropriate pilot involvement in, information about, and 
comprehension of the tasks being performed. While it is 
tempting to view this as strictly an interface problem, 
closer examination reveals that it is a systems problem. 
Information and format can assist in making complexity 
understandable, but it will not be as effective as reducing 
complexity. Likewise, displaying information about 
system status may assist the pilot in recognizing modes, 
but designing a system with only pilot induced mode 
changes will provide better awareness. Thus human- 
centered design starts at the overall function allocation 
level rather than the interface level. The design should be 
based on a human-centered design philosophy and 
should reflect both the mission goals and the pilots’ 
roles. 

Design Philosophy 

A human-centered flight deck design philosophy was 
developed at NASA Langley Research Center [5]. This 
philosophy is expressed as a set of guiding design 
principles, and is accompanied by information that will 
help focus attention on flight crew issues earlier and 
iteratively within the design process. The philosophy 
assumes that the flight crew will remain an integral 
component of the flight deck for the foreseeable future 
because human skills, knowledge, and flexibility are 
required in the safe and efficient operation of complex 
systems in an unpredictable and dynamic environment. 
The philosophy recognizes that humans and machines 
are complementary and that safety and efficiency of flight 
will be maximized when this complementary nature is 
supported by the design. The philosophy seeks to 
elevate design issues associated with the understanding 
of human performance and cooperative performance of 
humans with automation to the same level of importance 
as the past focus on purely technological issues, such as 
hardware performance and reliability. Moreover, it 
considers the importance of optimizing the combined 
flight crew/flight deck system performance above any one 
component of the total system. It also seeks to elevate 
flight crew and flight deck issues to the same level of 
importance given other aircraft design areas, such as 
aerodynamics and structural engineering. The 
philosophy includes the view that flight deck automation 
should always support various pilot roles in successfully 
completing the mission. These roles are: Pilots as team 
members; pilots as commanders; pilots as individual 
operators; and, pilots as flight deck occupants. A 
framework for detailed guidelines was presented which 
accounts for both the pilot roles and the different 
categories of flight deck features (i.e., displays, controls, 
automation, and alerts). 

Function Allocation and Involvement 

Function allocation is an important element of flight 
deck design. It is at the heart of human-centered design. 
The following function allocation guideline was 
distilled from Billings [4] and Palmer et al. [5]: The 
pilot should, in general, be more involved in actions 
and decisions that have significant consequences on the 
overall mission, and be less involved in actions and 
decisions that are relatively deterministic, time 
constrained, tedious or repetitious, or require great 
precision. 

The purpose of involvement is to engage the pilot in the 
task. The purpose of engagement is to increase situation 
awareness. When engagement is low due to factors such 
as boredom, complacency, or fatigue, the pilot enters a 
state described by Pope and Bogart [6] as a hazardous 
state of awareness. They developed a procedure to 
identify hazardous states of awareness based on 
electroencephalogram (EEG) signals and other 
physiological indices of awareness. Their model for 
predicting whether the flight crew will experience 
inappropriate or hazardous states of awareness involves 
three sets of factors: predisposing, inducing, and 
counteracting. Examples of predisposing factors are how 
likely the individual is to become complacent, bored, or 
absorbed. Inducing factors examples are sensory 
restriction, such as monotony, and stressor preoccupation 
from life situations. The hypothesized counteracting 
factors would negate or prevent the effects of the 
predisposing and inducing factors for hazardous states. 
Examples of such factors are attentional competence, 
communication flow, and task engagement. Pope et al. 
[7] have developed a system which measures mental task 
engagement. Because human/automation task allocation 
strongly influences task engagement, this engagement 
index can be used to evaluate various function allocation 
schemes. 

Flight Deck Mission Categories 

Abbott and Rogers [8] proposed combining human- 
centered design principles with a systems-oriented 
approach to designing new flight decks which will meet 
overall mission requirements. With this approach, they 
suggested that system integration problems would be 
reduced. This approach requires that mission 
requirements are defined before any designing of the flight 
deck or other aircraft systems occur. In their study, a 
mission goal was assumed for an aircraft to be that of 
moving “passengers and cargo from airport gate to 
airport gate safely and efficiently.” Then, the overall 
function of the flight deck systems was assumed to be 
that of managing the mission of the aircraft. Both 
normal and abnormal situations were considered for the 
accomplishment of the mission. Four levels of mission 
management were defined: flight management, 
communications management, systems management, and 
task management. Although similar to the traditional 
pilot functions of aviate, navigate, and communicate, 
these categories are from the total flight deck perspective 
rather than from just the pilot’s. The interactions among 
these functions create blended tasks for the flight crew. 

One of the design principles from Billings [4] indicates 
that the behavior and purpose of the automation should 
be clear to the user. Thus, information relevant to the 
real task, the blended task, should be presented to the 
flight crew, and in such a way that the underlying 
function(s) or relationships are transparent to the flight 
crew. An example of how to do this is presented below. 

Task Oriented Display Design 

Abbott [9] developed a display design process based 
upon function allocation that decomposed “the user’s 
task only to a level where relevant information can be 
identified” as opposed to where a data source could be 
identified. This relevant content information may or 
may not be raw data, and can be synthesized from 
underlying data. Also, the information was presented in 
such a form as to be more appropriate for the task. 
Abbott demonstrated this task-oriented design process for 
an aircraft engine display. Using this process, pilots, in 
a simulator, had better performance with the resulting 
display over traditional displays, as well as increased 
pilot preference for the new display. This particular 
display was used by the pilot to control engine thrust 
and monitor the engine health. Rather than provide 
individual pieces of information which the pilot had to 
combine (a task ill suited for humans and not directly 
related to the task), the display presented the information 
after it was combined. This meant that information 
traditionally provided on multiple displays was 
integrated or synthesized into one display, thus reducing 
the pilot’s effort to do the task by only having to refer to 
one versus multiple displays. This synthesized 
quantitative information was presented in a form that was 
processed qualitatively by the pilots; a level of 
processing sufficient for the task. The key to successfully 
using this function allocation process is understanding 
the real task the user or flight crew must perform. 

Fault Management 

The use of automation and the complexity of aircraft 
systems in general has increased as technologies have 
matured. However, as complexity increases, so does the 
difficulty of recognizing, anticipating, and preventing 
system errors. The presence of these difficulties is called 
“brittleness” [4], [10]. To control the effect of brittleness, 
most systems require a person to be incorporated in the 
system. This places the human in the unique role of 
troubleshooter and the best and last defense. This 
approach has been identified as having human 
performance problems, especially in the cockpit. 
Parasuraman [11] points out that our responding to 
human performance issues in a complex automated 
system, such as a flight deck, has not kept up with the 
application of automation so that these issues are surfaced 
when accidents or incidents occur. One reason for having 
humans on the flight deck is to deal with problems, 
contingencies, or failures. Yet, the design of the flight 
deck and the supporting training and procedures do not 
readily address this human function. Flight crews are 
only provided training for normal operation and 
anticipated failures. If a failure is novel (unanticipated), 
the flight crew may not respond properly, as supported 
by the number of inappropriate crew responses to failures 
[12]; however, responding to novel failures is an accepted 
part of the flight crew’s job. 

Rogers et al. [13] presented a framework for real-time 
fault management which integrates three elements: 
Operational levels, which are the aircraft mission, the 
physical aircraft in an aerodynamic environment, and the 
aircraft systems; cognitive levels of control, which are 
defined as skill-based, rule-based, and knowledge-based 
behaviors; and, operational fault management tasks, 
which are detection, diagnosis, prognosis, and 
compensation. The combination of all these factors 
describes crucial fault management issues which should be 
reviewed in any flight deck system design. 

ERROR PROOF FLIGHT DECK PROGRAM 

NASA Langley Research Center has implemented a 
research program that seeks to develop a human centered 
flight deck design driven by requirements from the top 
downward, and to demonstrate the effectiveness of such a 
design in reducing crew errors while also reducing 
training costs. This program, although recognizing and 
capitalizing on the successes of the past, will not be 
constrained to designs simply because “that is the way it 
has always been done.” In this sense, we are operating 
with a clean slate. The program is called, “Error Proof 
Flight Deck.” The title emerged from the fact that human 
‘error’ is inevitable, being part of our behaviors, and 
therefore, the goal is to prevent the flight deck from 
allowing the negative consequences of these ‘errors’ to 
propagate to the mission. That is, the “error proof” is 
from a mission perspective, not the traditional human 
error viewpoint. This program will continue for five 
years and is described below. 

The goal of this research program is to develop a top- 
down human-centered design of a flight deck. While it is 
impossible to design any system entirely ‘top down’ 
(see [2]), it is desirable to take a more integrated, and 
deliberate design approach that continually relies on the 
top mission requirements, guidelines, and principles as 
its basis. 

Design Attributes 

Some of the attributes of such an error proof flight deck 
design are the following: To provide better pilot 
awareness by reflecting his or her mental models in 
design and providing information at the level of usage 
(e.g., flight-communication-systems-task management, 
tactical-strategic); to improve pilot engagement by 
increasing his or her involvement with the task (in 
appropriate ways) without increasing workload; to 
provide involved control over all critical flight 
parameters (not just override capability); to clearly define 
the roles, functions, and responsibilities of the pilot- 
flying and pilot-not-flying in terms of the mission 
(instead of in terms of the equipment); to reduce the 
number of flight guidance modes; to appropriately 
integrate information; to ensure format, context, and 
procedure consistency; and to integrate training with the 
flight deck design. 

Target Assumptions 

Prior to beginning the design, certain assumptions about 
the aircraft and its mission must be made. The mission 
chosen for this design is that of a corporate business jet. 
This aircraft was selected because it has some 
commonalities with both the commercial transport 
domain and the general aviation domain, and therefore 
would have results applicable to either. 

The Aircraft: The target aircraft normally has 2- 
crew operations but is certified for single pilot operation. 
It weighs more than 12,500 pounds and is subject to 
FAA Part 25 regulations. It is certified to operate as a 
business jet (Part 91), an air taxi (Part 135), and a 
scheduled service airline (Part 121). It is capable of 
carrying 20 to 30 passengers. It has a range of 3000 
miles (coast to coast with instrument flight rules 
reserves), a top speed of 0.9 Mach, and is powered by 
two turbo-fan engines. The aircraft is equipped with 
Automatic Dependence Surveillance B and a Global 
Positioning System/Local Area Augmentation System. 
The aircraft is equipped with a high bandwidth data link 
and a high quality voice ground communication system. 

The Mission: This target aircraft is owned by a 
company so that the pilots are employees. The aircraft is 
part of a fleet, and the pilots are part of the company’s 
crew. The pilots all have commercial ratings. The 
company is an international company so it must comply 
with Federal Aviation Regulations and the European 
Joint Aviation Regulations. Also, the flight crew is 
multi-national and the flight deck must accommodate 
multi-cultural pilots. The aircraft is capable of landing in 
Category II conditions. The flight duration ranges from 
45 minutes to 5 hours with the typical flight lasting 2 to 
2.5 hours. 

Approach 

The Error Proof Flight Deck research team at NASA 
Langley is comprised of engineers, computer scientists, 
pilots, and psychologists. The team has extensive 
experience in the aviation domain having been involved 
in numerous flight deck designs and projects. A major 
advantage for an agency such as NASA to take on this 
research project is that it can afford higher risk. Note that 
this does not relieve the team from the responsibility of 
addressing practical operational needs such as 
certifiability, operational costs, and training; rather it 
frees the team to explore high payoff/high risk solutions. 

The general approach being taken in this effort is one of 
iterative top-down design. Each iteration provides more 
depth and breadth both in the definition of the concept 
and the evaluation of the concept. During each iteration, 
representatives from industry, the airlines, and the pilot 
community will be consulted to provide input for both 
the design and the evaluation. As the design matures, 
industry will have a greater involvement to ensure that 
practical details have not been overlooked and to increase 
technology transfer. The final detailed prototype will be 
developed primarily by industry. 

Iterative Mission Decomposition: The design 
begins with the mission decomposition described above 
(flight management, communications management, 
systems management, and task management) and 
continues with the break down of that decomposition. 
Each subcategory will be defined in terms of the design 
philosophy and function allocation principles defined 
above. This includes defining the roles of the flight crew 
and the information and task requirements. Prior to 
defining the next level down, a prototype of the flight 
deck at a corresponding level of granularity will be 
developed. 

Iterative Prototyping: Once the flight crew roles, 
information, and task requirements have been defined, the 
design team will develop a prototype of the flight deck. 
Each design decision made for the flight deck will have a 
corresponding rationale that is traceable to the design 
guidelines, rather than to previous designs. The 
prototype could take the form of a narrative description, a 
collection of pictures, software (workstation) prototypes, 
concepts implemented in simulations, or even actual 
flight decks. The depth of the implementation of the 
prototype depends on the depth of the mission 
decomposition. If the mission decomposition is at a high 
level (less detailed), then the prototype will be at a high 
level (i.e., storyboard or canned computer displays). The 
deeper the decomposition, the more detailed the 
prototype. The rationale for this is both economy and 
effectiveness. When the mission decomposition is still at 
a high level, it would be premature and expensive to try 
to implement the concept in a simulation facility. 
Likewise, it would be inappropriate to carry the mission 
decomposition too far before realizing it in a prototype. 
The danger in doing so rises from the fact that as one 
performs the decomposition, it is extremely tempting 
(and, indeed, necessary) to make assumptions about the 
implementation. Formerly, these assumptions were often 
made in isolation, without regard for other systems or 
functions. This led to inconsistencies and conflicts which 
led to confusion which led to errors. However, this 
program’s iterative approach to prototyping will allow 
general principles to be established early, and when 
details necessitate a violation of those principles, they 
will be explicitly and uniformly addressed. 

Iterative Evaluation: The level of evaluation will 
depend largely on the depth of the prototype. In the 
initial phases of the program, the evaluation will likely 
be reviews by experts in the aviation and manufacturing 
fields as well as those in the human factors areas. Later in 
the workstation and early simulation phases, evaluation 
will likely require a series of operational pilots to act as 
test subjects. It is important to get a large and diverse 
pool of test subjects so that the concept will not be 
tailored to a specific class. In the final phases of testing, 
it will likely be necessary to bring in pilots to participate 
in long duration studies where they will be exposed to 
in-depth training and a more realistic operational 
environment. 

Scenario Development. An important aspect of 
evaluating any concept is the flight mission scenario 
suite that is used for evaluations. If it is too narrow or 
unrealistic, it will likely lead to inaccurate results. 
Scenarios are important because they ground the 
prototype to the real world (even if the prototype is not 
very detailed). The scenarios used in evaluation must be 
diverse and cover the extremes of the envelope. They 
should include system and functional failures, adverse 
environments, cultural differences, and stereotypical 
human behavior as well as normal operations. 

Metrics and Measures. “Improved safety, reduced 
accidents, and reduced errors” are often touted as noble 
goals but are difficult to prove until many years after 
implementation. Responses to accidents and incidents 
that occur in the real world are difficult to realistically 
duplicate under controlled conditions largely because the 
experimental subjects are primed to respond in some 
way. Generally, errors are induced by increasing 
workload on these subjects. However, this increased 
workload may not be representative of real world failures. 
One way of addressing this problem is to develop error 
metrics that are based on error precursors rather than on 
the actual errors. Error precursors are events or states 
which are necessary for errors to occur; however, they are 
not sufficient. The ratio of precursor events to error 
events may be very large, meaning that precursors are 
more likely than errors. Thus if the number of precursor 
events can be reduced, the number of error events should 
also be reduced. 

Product 

Perhaps the most important product from this research 
will not be the actual flight deck prototype, but rather the 
guidelines, methodologies, and learning that goes into 
creating a successful prototype. Designers may or may 
not choose to implement the actual design for a number 
of different reasons ranging from the appropriateness of 
the design to their problem, to their need to have a flight 
deck that is different from the competition. However, the 
guidelines, methodologies, and lessons learned should 
still be applicable to their design and some specific 
aspects of the design may also directly transfer to their 
design. (Note that the danger here is in taking pieces out 
of the design and incorporating them into old designs 
without addressing the overall impact of mixing the old 
with the new. This is not to say that it cannot be done, 
but that it must be done cautiously.) 

SUMMARY 

For many years, the human factors community has 
pointed out the many flaws in the human/machine 
integration in aircraft. Calls for changes in design are 
frequent, yet responses are few. This is largely due to the 
expense and risk of fundamental design changes. We 
believe that new design guidelines, methodologies, and 
prototypes are called for and that it is NASA’s role to 
establish this process. This research program is being 
implemented to meet this challenge and to take the risk. 
As mentioned above, it may not be appropriate for all 
aircraft designs. However, such a design could serve as a 
goal for the technological evolution of future flight decks. 
But first, the Error Proof Flight Deck concepts must be 
implemented, if only to create a test case or prototype, to 
assess its impact on safety and efficiency. 